Free Republic
Browse · Search
General/Chat
Topics · Post Article


How Unique Is Your Web Browser? (You're being tracked based on how unique your browser settings are)
Electronic Frontier Foundation ^

Posted on 06/04/2011 6:29:49 PM PDT by LibWhacker

Abstract. We investigate the degree to which modern web browsers are subject to "device fingerprinting" via the version and configuration information that they will transmit to websites upon request. We implemented one possible fingerprinting algorithm, and collected these fingerprints from a large sample of browsers that visited our test site, panopticlick.eff.org. We observe that the distribution of our fingerprint contains at least 18.1 bits of entropy, meaning that if we pick a browser at random, at best we expect that only one in 286,777 other browsers will share its fingerprint. Among browsers that support Flash or Java, the situation is worse, with the average browser carrying at least 18.8 bits of identifying information. 94.2% of browsers with Flash or Java were unique in our sample.

By observing returning visitors, we estimate how rapidly browser fingerprints might change over time. In our sample, fingerprints changed quite rapidly, but even a simple heuristic was usually able to guess when a fingerprint was an "upgraded" version of a previously observed browser's fingerprint, with 99.1% of guesses correct and a false positive rate of only 0.86%.

We discuss what privacy threat browser fingerprinting poses in practice, and what countermeasures may be appropriate to prevent it. There is a trade-off between protection against fingerprintability and certain kinds of debuggability, which in current browsers is weighted heavily against privacy. Paradoxically, anti-fingerprinting privacy technologies can be self-defeating if they are not used by a sufficient number of people; we show that some privacy measures currently fall victim to this paradox, but others do not.

(Excerpt) Read more at panopticlick.eff.org ...


TOPICS: Computers/Internet
KEYWORDS: browser; extremelyunique; fingerprinting; howunique; nearlyunique; prettyunique; privacy; somewhatunique; superunique; unique; uniquelyunique; veryunique
To: smoothsailing

RATS!

Oh, woops...I mean CATS!

[stupid main screen not turn on]

;]


41 posted on 06/04/2011 10:28:52 PM PDT by Salamander (I wear my sunglasses at night.)
[ Post Reply | Private Reply | To 34 | View Replies]

To: LibWhacker
"Hi, Oceander... When you figure it out, and if it wouldn't be too much trouble, would you kindly summarize what you've found so that all Freepers can make the necessary changes? Again, only if you have the time. I know I sure haven't deciphered it yet and would greatly appreciate a nice, easy to understand primer. Thanks!"

I did find an addon for Firefox that should give people some reasonable amount of control over the headers that FF sends out; according to the blog posts by the developer, it works with FF4.

I haven't done any experimentation with it yet, but it does seem to be a reasonably well-developed addon and will almost certainly allow you to modify the silly headers like the system fonts header, which shouldn't cause too much trouble with much of anything (I really cannot think of too many sites that are going to be checking that header to see if they can send you webpages with funky fonts in them).

Also according to the developer of this addon, right now Opera and Google Chrome don't expose the application programming interfaces needed to modify HTTP headers on the fly, although they might in the future.

IE I have no idea about right now; if I come across anything I'll post it up.
42 posted on 06/04/2011 10:52:56 PM PDT by Oceander (The phrase "good enough for government work" is not meant as a compliment)
[ Post Reply | Private Reply | To 32 | View Replies]

To: Oceander
Thanks! Is that addon called HeaderControl? The most recent version I can find (v0.1.7) doesn't work with FF4. I at least want to get control of the font situation. From what you and others have said, that sounds like it is perhaps the most significant culprit in making our machines look so damned unique to all the snoops out there.
43 posted on 06/05/2011 12:23:49 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 42 | View Replies]

To: LibWhacker
Nope. It's another add-on called Modify Headers - nice, short, and to the point, if I do say so. According to the developer, it should be FF4 friendly.
44 posted on 06/05/2011 12:41:49 AM PDT by Oceander (The phrase "good enough for government work" is not meant as a compliment)
[ Post Reply | Private Reply | To 43 | View Replies]

To: Oceander

Oh, fantastic, thanks for that! I’m going to install it right away.


45 posted on 06/05/2011 12:50:09 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 44 | View Replies]

To: SWAMPSNIPER

How are fractions of bits possible?


46 posted on 06/05/2011 12:58:46 AM PDT by Fresh Wind ('People have got to know whether or not their President is a crook.' Richard M. Nixon)
[ Post Reply | Private Reply | To 10 | View Replies]

To: LibWhacker
There is something seriously not right about this test. The first time I ran the test, this was my result:
Within our dataset of several million visitors, only one in 533,751 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 19.03 bits of identifying information.

After taking the test several times, my score gets lower with each test.

This is the latest result:

Within our dataset of several million visitors, only one in 43,285 browsers have the same fingerprint as yours.

Currently, we estimate that your browser has a fingerprint that conveys 15.4 bits of identifying information.

Either their test is hinky or my browser (Opera) is shutting down identifying characteristics.
47 posted on 06/05/2011 1:00:09 AM PDT by jellybean (Bookmark http://altfreerepublic.freeforums.org/index.php for when FR is down)
[ Post Reply | Private Reply | To 1 | View Replies]

To: jellybean
They mentioned that in the .PDF paper... Here's what I believe is going on: Let's say they have 3,000,000 entries in their fingerprint database. If you are one of six people who share your fingerprint, they'll report to you that "only one in 500,000 browsers have the same fingerprint as yours."

The next time you take the test, it will think of you as the seventh person to have visited the website with that fingerprint and will report that "only one in 428,571 browsers have the same fingerprint as yours." So, you'll appear to be less unique, that is, less identifiable from a uniqueness point of view. Less unique is good.

But you do not want to repeatedly take the test over and over again because, although that number will decrease each time, it will not be giving you accurate information after your first visit.

You should only re-take the test after you've made major changes in the headers that are handed off from your browser to servers, to see whether or not the changes you've made are actually beneficial from a privacy (uniqueness) point of view.

48 posted on 06/05/2011 1:49:55 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 47 | View Replies]
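
The arithmetic behind the "one in N" and "bits" figures quoted in posts 46 to 48, as an added example that is not part of any post or of the EFF's code. It assumes every visit is tallied as a new browser and, for the retest series, that nobody else visits in between; the function names are made up for illustration.

```python
import math

def one_in(matching: int, total: int) -> float:
    """The N in 'only one in N browsers have the same fingerprint'."""
    return total / matching

def surprisal_bits(matching: int, total: int) -> float:
    """Identifying information in bits: log2(1/p) with p = matching/total.

    A bit count here is the logarithm of a ratio, so it is fractional
    whenever that ratio is not an exact power of two.
    """
    return math.log2(one_in(matching, total))

def retest_bits(matching: int, total: int, repeats: int) -> list[float]:
    """Bits reported after each repeat visit by the same browser.

    Assumption: each repeat adds one to both the matching count and the
    dataset size, and no other browser visits in the meantime.
    """
    return [surprisal_bits(matching + k, total + k)
            for k in range(1, repeats + 1)]

if __name__ == "__main__":
    # Figures quoted in the thread.
    print(f"1 in 533,751   -> {surprisal_bits(1, 533_751):.2f} bits")
    print(f"1 in 43,285    -> {surprisal_bits(1, 43_285):.2f} bits")
    print(f"1 in 1,607,432 -> {surprisal_bits(1, 1_607_432):.2f} bits")
    # Post 48's illustration: 3,000,000 entries, 6 then 7 sharing one print.
    print(f"6 of 3,000,000 -> one in {one_in(6, 3_000_000):,.0f}")
    print(f"7 of 3,000,000 -> one in {one_in(7, 3_000_000):,.0f}")
    # Retaking the test: the score drifts down although nothing changed.
    for n, bits in enumerate(retest_bits(1, 533_751, 11), start=1):
        print(f"after retest {n:2d}: {bits:.2f} bits")
```
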

To: Oceander
Okay, I've installed it and read through all the instructions. But I'll be darned if I can figure out how to get it not to pass information about my fonts. Or about the install dates for my addons, e.g.

I did successfully work through the example the author gave and blocked headers related to the iPhone, which I do not own, lol.

Also, I wonder if a person blocks font information, will his online banking be screwed up from then on, for example, because servers will just send out some ugly default font from the old days, like 12-point Courier that'll totally screw up tables, etc?

49 posted on 06/05/2011 2:09:12 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 44 | View Replies]

To: LibWhacker

Is it possible that we have similar uniqueness due to being FReepers? We have many threads here on FR on net security, etc. Also, I think that many people, liberal and conservative alike, who are net savvy tend to pay attention big time to tracking, net dangers, etc. more so than casual net surfers.


50 posted on 06/05/2011 5:13:33 AM PDT by My hearts in London - Everett (You will try to nudge commies toward the truth, while they try to nudge you toward the cattle cars.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: Moose Burger

“I identified 23 relevant elements on ‘User Agent’ and ‘HTTP_ACCEPT Headers’ alone”

How many of these would you have to change to make your browser look different?

And if you changed them every so often you can’t be consistently identified.

I’m not enough of a conspiracy theorist to believe we are being tracked right now because the amount of info that would have to be stored is so vast it staggers the mind, but it is an interesting issue going forward.


51 posted on 06/05/2011 5:44:13 AM PDT by webstersII
[ Post Reply | Private Reply | To 31 | View Replies]

To: webstersII

I don’t think people change them themselves; things they install (plugins, extensions, etc) do.

“And if you changed them every so often you can’t be consistently identified.”

It sounds good. Maybe with some “random UA” plugin. If your browser is compatible enough the site optimizations for the browser you’re claiming to be won’t mess up the page too much. Maybe displaying an empty UA string would be enough, if lots of people do that, but some sites will think you’re a bot and maybe lock you out. There’s a chance that random UA will be adopted by bots, making this a moot point :P

HTTP_ACCEPT is another thing. It tells what HTTP features you can use. Randomizing it would degrade performance. Maybe there’s a subset of it that can be shuffled and won’t give trouble, but it’s a gamble.

“...to believe we are being tracked right now...” Well, we most probably aren’t, it’s just like fingerprints, we leave them everywhere.


52 posted on 06/05/2011 9:15:43 AM PDT by Moose Burger
[ Post Reply | Private Reply | To 51 | View Replies]

To: LibWhacker

I’m sorry I haven’t had time to experiment with it yet. I’ll try to play with it tonight and see if I can figure anything out.


53 posted on 06/05/2011 9:43:16 AM PDT by Oceander (The phrase "good enough for government work" is not meant as a compliment)
[ Post Reply | Private Reply | To 49 | View Replies]

To: Oceander

Okay, thanks. Don’t worry about it if you don’t have time, though. Been there, done that, and any time you are able to give to it is greatly appreciated. I’ll keep looking at it and playing with it myself, and that sometimes lets me make headway on this sort of thing.


54 posted on 06/05/2011 10:53:02 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 53 | View Replies]

To: My hearts in London - Everett

Interesting that you would say that because I first learned about tracking unique browser fingerprints while reading a liberal website. They were all in a frenzy over it.

Libs always make fun of how dumb Republicans are. But Freepers should take heart; I read all the libs’ comments and Freepers are head and shoulders ahead of them in understanding the problem.


55 posted on 06/05/2011 11:06:55 AM PDT by LibWhacker
[ Post Reply | Private Reply | To 50 | View Replies]

To: LibWhacker
Take the test here: https://panopticlick.eff.org/

Your browser fingerprint appears to be unique among the 1,607,432 tested so far.
Currently, we estimate that your browser has a fingerprint that conveys at least 20.62 bits of identifying information.

56 posted on 06/05/2011 11:22:57 AM PDT by cynwoody
[ Post Reply | Private Reply | To 1 | View Replies]

To: webstersII

Oh, and to answer

“How many of these would you have to change to make your browser look different?”

Just one of them would be enough (using this definition of “unique”). All of them have to be the same for two browsers to be considered identical. That’s why it’s so easy to have a unique one.


57 posted on 06/05/2011 11:35:44 AM PDT by Moose Burger
[ Post Reply | Private Reply | To 51 | View Replies]

To: bunkerhill7
"Buy a used computer trade-in from a repair shop. It usually has the original buyer's administrator's login defaults locked in and defaults to the original buyer's email address and windows license info. All the upgrades are registered with the administrator."

Wouldn't help.

The purpose of the fingerprinting is not to identify you, as in name and address and SSN, but to track you as you go from site to site, where each site is using a common ad server, such as doubleclick. If the ad server knows your recent browsing history, it can hit you with ads customized to your apparent interests. They don't know who you are (although some cross checking might reveal your identity in some cases), but they want to know if you are the same you that they've seen before.

They used to use cookies to track users from site to site. But cookies can be readily deleted. Fingerprinting is thus probably a more robust method.

58 posted on 06/05/2011 11:42:43 AM PDT by cynwoody
[ Post Reply | Private Reply | To 19 | View Replies]

To: Moose Burger
"Just one of them would be enough (using this definition of “unique”). All of them have to be the same for two browsers to be considered identical. That’s why it’s so easy to have a unique one."

I can change my fingerprint just by dragging the window to the other monitor, since my monitors have different resolutions, and screen resolution is part of the fingerprint.

But I highly doubt any outfit who is actually using this technique as a cookie replacement is going for exact matches. They've probably defined some sort of similarity function, and they consider anybody who scores above some threshold to be the same person. That's plenty good enough for their purpose, which is to sharpen up ad delivery and deliver improved audience analytics to their clients. A few false positives or false negatives wouldn't matter.

59 posted on 06/05/2011 11:50:20 AM PDT by cynwoody
[ Post Reply | Private Reply | To 57 | View Replies]
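
A small illustration of the point in posts 57 and 59, added here and not taken from any post or from a real tracker: an exact-match comparison is broken by one changed field such as screen resolution, while a similarity score with a threshold still links the two visits. The field list, equal weighting, the 0.75 threshold and all sample values are constructed assumptions.

```python
# Constructed data and an assumed scoring rule, for illustration only.
FIELDS = ("user_agent", "http_accept", "plugins", "fonts", "screen")

def similarity(a: dict, b: dict) -> float:
    """Mean per-field agreement; set-valued fields use Jaccard overlap."""
    total = 0.0
    for field in FIELDS:
        x, y = a[field], b[field]
        if isinstance(x, frozenset) and isinstance(y, frozenset):
            union = x | y
            total += len(x & y) / len(union) if union else 1.0
        else:
            total += 1.0 if x == y else 0.0
    return total / len(FIELDS)

def best_match(candidate: dict, known: dict, threshold: float = 0.75):
    """Name of the most similar known fingerprint, or None below threshold."""
    scored = [(similarity(candidate, fp), name) for name, fp in known.items()]
    score, name = max(scored, default=(0.0, None))
    return name if score >= threshold else None

SEEN = {  # previously observed fingerprints (constructed)
    "visitor-1": {
        "user_agent": "Mozilla/5.0 (Windows NT 6.1; rv:2.0.1) Firefox/4.0.1",
        "http_accept": "text/html,application/xhtml+xml;q=0.9",
        "plugins": frozenset({"Flash 10.3", "Java 1.6"}),
        "fonts": frozenset({"Arial", "Courier New", "Verdana", "Comic Sans MS"}),
        "screen": "1920x1200x24",
    },
    "visitor-2": {
        "user_agent": "Opera/9.80 (Windows NT 5.1) Presto/2.8.131",
        "http_accept": "text/html,application/xml;q=0.9",
        "plugins": frozenset({"Flash 10.3"}),
        "fonts": frozenset({"Arial", "Helvetica"}),
        "screen": "1024x768x24",
    },
}

# Same browser as visitor-1, window dragged to a second monitor.
OTHER_MONITOR = dict(SEEN["visitor-1"], screen="1280x1024x24")

# A browser sharing nothing with either known visitor.
STRANGER = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/11.0.696.71",
    "http_accept": "application/xml,text/html;q=0.8",
    "plugins": frozenset(),
    "fonts": frozenset({"DejaVu Sans"}),
    "screen": "1366x768x24",
}
```

Here `OTHER_MONITOR` differs from `visitor-1` in one of five fields, so it fails an equality check but scores 0.8 and is still linked.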

To: cynwoody

“But I highly doubt any outfit who is actually using this technique as a cookie replacement is going for exact matches.”

That’s right. I think the panopticlick.eff.org metric is not really very good; that’s why I said “using this definition”. Bad (?) news is, the real uniqueness is much higher when taking “ambiental”/temporal continuity contexts in consideration. I question the “bad” because, well, it’s impossible to do anything in the world without leaving some kind of print. There’s a limit where the paranoia can be useful.


60 posted on 06/05/2011 11:57:44 AM PDT by Moose Burger
[ Post Reply | Private Reply | To 59 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson